One tiny exploit gives full Linux access: all kernels since 2017 are vulnerable



All Linux kernels released since 2017 are vulnerable to a critical privilege escalation bug. A 732-byte exploit grants root on every major Linux distribution, and containerized environments are especially exposed because containers share the host kernel. The proof of concept and the patches are publicly available.

An attacker with a foothold on a Linux system can run a tiny script as any unprivileged user, obtain root, and even escape Kubernetes containers.

Security researchers at Theori disclosed a critical logic flaw in the Linux kernel that gives an unprivileged local user a root shell. The proof of concept is just 732 bytes of Python, using only standard library modules and requiring no extra dependencies.


Dubbed Copy Fail and tracked as CVE-2026-31431, the bug is “a straight-line logic flaw,” and exploiting it requires no race conditions or kernel-specific offsets.

“Same script, four distributions, four root shells – in one take. The same exploit binary works unmodified on every Linux distribution,” the blog post by Xint Code, Theori’s AI security scanning platform, explains.


“An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root.”

The researchers warn that any kernel built between 2017 and the patch release is vulnerable.

They directly tested the exploit on Ubuntu, Amazon Linux, RHEL, and SUSE, but Debian, Arch, Fedora, and other distributions behave the same, the report claims. The script requires no recompilation or version checks.

Ports of the exploit have already appeared in Go, C, and likely other languages, so an attacker does not even need a Python interpreter on the target.


“Patch first,” the researchers urge. “Update your distribution's kernel package to one that includes mainline commit a664bf3d603d.”

They warn that the bug is especially serious because it allows container escape. Kubernetes, Docker, and other containers run on the host kernel and therefore share its page cache, the portion of RAM the kernel uses to hold file data read from storage.

An attacker running code in one container can compromise the whole node and reach every other tenant running on it.

The attack is also stealthy: the modification lives only in RAM, in the page cache, and the file on disk is never changed.

“On eviction or reboot, the cache reloads clean, and a forensic disk image shows the original file,” the report reads.
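That forensic point suggests a check a responder can run before evicting anything. The following is an added example, not code from the Theori/Xint report or the Cybernews article: it hashes a file twice, once through an ordinary buffered read, which is served from the page cache, and once with O_DIRECT, which bypasses the cache and reads the block device, and reports whether the two views diverge. The default path /usr/bin/su, the chunk size, and the use of a non-cryptographic hash are illustrative assumptions; the hash only needs to detect that two byte streams differ.

```c
#define _GNU_SOURCE          /* O_DIRECT */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_DIRECT             /* fallback if fcntl.h was already pulled in without _GNU_SOURCE */
# if defined(__arm__)
#  define O_DIRECT 0200000
# else
#  define O_DIRECT 040000    /* x86 and asm-generic (arm64, riscv) value; assumption for other arches */
# endif
#endif

#define CHUNK 65536          /* O_DIRECT wants a page-aligned buffer whose size is a block-size multiple */

/* FNV-1a 64-bit: enough to detect that two byte streams differ (assumption:
 * this is a divergence check, not an integrity proof; use SHA-256 for that). */
static uint64_t fnv1a(uint64_t h, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Hash a regular file opened with O_RDONLY | extra_flags.  Reading stops at
 * st_size so an O_DIRECT read is never issued at an unaligned offset.
 * Returns 0 on success, -1 on any error. */
static int hash_file(const char *path, int extra_flags, uint64_t *out)
{
    int fd = open(path, O_RDONLY | extra_flags);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    void *buf;
    if (posix_memalign(&buf, 4096, CHUNK) != 0) { close(fd); return -1; }

    uint64_t h = 14695981039346656037ULL;
    off_t total = 0;
    int ok = 1;
    while (total < st.st_size) {
        ssize_t n = read(fd, buf, CHUNK);
        if (n <= 0) {            /* read error, or the file shrank under us */
            ok = 0;
            break;
        }
        h = fnv1a(h, buf, (size_t)n);
        total += n;
    }
    free(buf);
    close(fd);
    if (!ok)
        return -1;
    *out = h;
    return 0;
}

/* 1 = page-cache view and on-disk view differ, 0 = they match,
 * -1 = cannot compare (file missing, not a regular file, or the filesystem
 * rejects O_DIRECT, as tmpfs does). The buffered read runs first so the file
 * is cached; the O_DIRECT read then goes to disk. Pages altered by the bug
 * are never marked dirty, so nothing of the tampered copy is written back. */
int cached_vs_disk_differs(const char *path)
{
    uint64_t cached, ondisk;
    if (hash_file(path, 0, &cached) < 0)
        return -1;
    if (hash_file(path, O_DIRECT, &ondisk) < 0)
        return -1;
    return cached != ondisk;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/bin/su";   /* default path is an assumption */
    int r = cached_vs_disk_differs(path);
    if (r < 0) {
        perror(path);
        return 2;
    }
    printf("%s: page cache %s the on-disk copy\n", path, r ? "DIFFERS FROM" : "matches");
    return r;
}
```

Run it as root on the host, and run it before touching the cache: dropping caches or a reboot reloads the clean copy, which is the remediation the report describes but also destroys the evidence. A "matches" result is only meaningful where O_DIRECT really bypasses the cache; tmpfs refuses it outright (the tool then reports an error), and on container root filesystems built on overlayfs, support depends on the lower filesystem.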


How does the exploit work?

The exploit targets the page cache to modify the cached copy of /usr/bin/su, the command used to switch users. When a binary is executed, the kernel maps its pages from the page cache, so if those pages have been modified, the tampered code is what runs. Because su is setuid root, the tampered code runs with root privileges.

To make the exploit work, the researchers combined three kernel features that are each safe in isolation.

The Linux kernel lets unprivileged users drive its in-kernel (and sometimes hardware-accelerated) crypto implementations through the AF_ALG socket API. Any user can use it to encrypt or decrypt data without special privileges.


To feed data into a crypto operation without copying it, userspace can use the splice() system call. When a file is spliced into an AF_ALG socket, the crypto layer is handed the file's page-cache pages themselves rather than a private copy of the data.

The actual logic flaw lies in the kernel's authencesn cryptographic template, which combines encryption and authentication into a single operation for IPsec VPN traffic. It was added in 2011 and was never intended to be reachable from userspace programs.

During decryption, authencesn uses part of its buffer as scratch space, but it writes 4 bytes past its legitimate boundary and never restores the original contents.

In 2017, a performance optimization changed the crypto layer's AF_ALG path to operate in place, using the same memory for input and output instead of separate buffers. From then on, the stray 4 bytes landed directly in the in-memory copy of the spliced file.

This lets an attacker call the kernel's decryption routine over and over, each call writing 4 controlled bytes into the page cache at a chosen position, and so gradually overwrite the legitimate program in RAM.

Ultimately, malicious code is injected into the in-memory copy of the su binary. When the attacker then runs su, the kernel executes the tampered version from the page cache, and the attacker gets root.

[Image: linux, sudo, root privileges. Image by Cybernews.]

“Nobody connected the 2017 in-place optimization to authencesn's scratch writes or to the splice path's use of page cache pages. Each change was reasonable in isolation. The vulnerability exists at the intersection of all three, and has been silently exploitable for nearly a decade,” Xint's detailed report explains.


The researchers also note that the bug can be used against any setuid-root program on Linux, such as passwd, chsh, chfn, mount, sudo, or pkexec, not only su.

Should you be afraid?

“If you run multi-tenant Linux, shared-kernel containers, CI runners that execute untrusted code, or anything where someone you don’t fully trust can execve as a regular user – yes. Patch,” the report concludes.

The flaw was reported to the Linux kernel security team on March 23rd, 2026, and patches were proposed and reviewed within two days. The fix was committed to mainline on April 1st, 2026.

“Patches are available through the Linux kernel stable tree. The fix reverts the problematic in-place operation handling and simplifies AD copying in the algif_aead module. Multiple patch commits are available,” SentinelOne writes in a security advisory.

If immediate patching is not possible, the researchers suggest disabling the algif_aead module, restricting access to the AF_ALG socket interface through kernel configuration or security modules, and applying SELinux or AppArmor policies that limit which processes can open the cryptographic socket interface.
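Whether those mitigations actually took effect can be checked from the attacker's vantage point. The following is an added example, not code from the Theori/Xint report or from any distribution's tooling: as an unprivileged user, it tries to bind an AF_ALG "aead" socket to the authencesn template, which is the first step of the chain described in the "How does the exploit work?" section, and then closes the socket without encrypting or splicing anything. A successful bind means algif_aead is loaded (or was auto-loaded on demand) and the template is reachable from that process; after the module is blacklisted or AF_ALG is confined by an LSM policy, the same probe should be refused. The specific template string and the two comparison names are illustrative choices.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#ifndef AF_ALG
#define AF_ALG 38                /* Linux value, for libc headers that predate it */
#endif

/* Same layout as struct sockaddr_alg in <linux/if_alg.h>, spelled out here so
 * the example builds without the kernel UAPI headers installed. */
struct alg_addr {
    uint16_t family;
    uint8_t  type[14];           /* "aead", "hash", "skcipher", ... */
    uint32_t feat;
    uint32_t mask;
    uint8_t  name[64];           /* algorithm or template name, NUL-terminated */
};

/* Try to bind an AF_ALG socket of the given type to the named algorithm.
 * Returns 1 if the kernel instantiated it (reachable from this process),
 * 0 if bind() was refused (errno in *err: ENOENT when the template or the
 * algif_<type> module cannot be found or loaded, EACCES/EPERM under an LSM
 * policy), or -1 if AF_ALG sockets cannot be created at all. */
int af_alg_reachable(const char *type, const char *name, int *err)
{
    struct alg_addr sa;
    memset(&sa, 0, sizeof sa);
    sa.family = AF_ALG;
    if (strlen(type) >= sizeof sa.type || strlen(name) >= sizeof sa.name) {
        if (err) *err = ENAMETOOLONG;
        return 0;
    }
    memcpy(sa.type, type, strlen(type));
    memcpy(sa.name, name, strlen(name));

    int fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd < 0) {
        if (err) *err = errno;
        return -1;
    }
    int r = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    if (err) *err = (r < 0) ? errno : 0;
    close(fd);                   /* nothing is ever sent; the transform is torn down here */
    return r == 0;
}

int main(void)
{
    /* Three probes: the template the report names, an ordinary AEAD, and a
     * bogus name, so "module blocked" is distinguishable from "one template absent". */
    const char *names[] = {
        "authencesn(hmac(sha256),cbc(aes))",
        "gcm(aes)",
        "no-such-template(aes)",
    };
    int exposed = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int e = 0;
        int r = af_alg_reachable("aead", names[i], &e);
        printf("%-36s %s\n", names[i],
               r == 1 ? "reachable" : r == 0 ? strerror(e) : "AF_ALG unavailable");
        if (i == 0 && r == 1)
            exposed = 1;
    }
    return exposed;              /* non-zero exit: authencesn is reachable from this user */
}
```

Run it as the unprivileged user you are worried about, inside the container if that is where untrusted code executes, because an LSM policy confines by domain. To actually close the path, an `install algif_aead /bin/false` line in a file under /etc/modprobe.d/ stops bind() from auto-loading the module, and `rmmod algif_aead` unloads it if it is already present; if the AEAD interface is built into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y), module blacklisting does nothing and only a policy or a kernel update helps. Note that a fully patched kernel still reports "reachable": the fix repairs the in-place handling and does not remove AF_ALG, so this probe measures whether the stopgap mitigations hold, not whether commit a664bf3d603d is present.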

GrapheneOS said that its users are immune to the vulnerability due to the deep integration of SELinux in the Android Open Source Project (AOSP).

“AOSP only permits using specific types of sockets throughout the OS. It only permits the dumpstate process used to create bug report zips to access AF_ALG sockets,” the post on X reads.

According to the National Vulnerability Database, the bug has a CVSS severity score of 7.8 out of 10 (High).


